Here's what I have,
index=blah | bucket span=1d _time | chart count(id) over _time by src
_time  src1  src2
day1   100   200
day2   110   180
day3   105   100
day4   90    210
Now here's what I am looking for: given a time window, produce the % variation from the start of the time period per source. The start of the time period is considered the baseline (0%). I am looking for a way to refer to the first bucket value to compute these % values. The end result should look something like the table below.
_time  src1  src1%  src2  src2%
day1   100   0%     200   0%
day2   110   10%    180   -10%
day3   105   5%     100   0%
day4   90    -10%   210   5%
Is there a way to use _time as key? If yes how?
I've re-created your scenario after the chart like this:
| gentimes start=-1 increment=2h | streamstats count as day | fields day | eval value=(random()%200) | appendpipe [stats count as day | eval day=0 | eval value=100] | sort + day
Running that produces a table similar to your first result. Using that, I've built a table similar to your desired second result like this:
... | eventstats first(value) as baseline | eval diff=(value-baseline)/baseline | fieldformat diff = round(diff*100,2)."%" | table day value diff
The end result looks something like this:
day  value  diff
0    100    0.00%
1    70     -30.00%
2    47     -53.00%
3    156    56.00%
4    181    81.00%
5    130    30.00%
6    155    55.00%
7    192    92.00%
8    137    37.00%
9    110    10.00%
10   7      -93.00%
11   100    0.00%
12   133    33.00%
I was able to produce A. as below,
index=blah | bucket span=1h _time | stats count(id) as cnt by _time, src | table _time, src, cnt | xyseries _time src cnt
but I am having difficulties creating the diff per src. How can I create multiple fields at once?
Martin, thanks for replying. I see your point. It looks like a great approach for a single series of data. I am having difficulties applying the same to multiple time series.
As you can see in my example above, I have a matrix of data for each "src". Hence I am using bucket/span along with chart to produce the 1st table.
In order to use your approach,
A. I need to bring the data into tabular form without using chart and the "over" feature.
B. Generate diff per src as final solution.
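Added example, not part of the original posts: one way to cover both A and B is to keep the data in long form (one row per bucket and src), take the baseline with eventstats split by src, and pivot only at the end with xyseries using two data fields. The first five lines build constructed sample rows matching the first table in the question (the fields n, day and pct are names chosen for this example); against real data they would be replaced by the `index=blah | bucket span=1d _time | stats count(id) as cnt by _time, src` search, with _time in place of day.

```spl
| makeresults count=8
| streamstats count as n
| eval day="day".tostring(floor((n-1)/2)+1), src=if(n%2==1, "src1", "src2")
| eval cnt=case(n==1,100, n==2,200, n==3,110, n==4,180, n==5,105, n==6,100, n==7,90, n==8,210)
| fields day src cnt
| sort 0 day src
| eventstats first(cnt) as baseline by src
| eval pct=round((cnt-baseline)/baseline*100, 2)
| xyseries day src cnt pct
```

With more than one data field, xyseries names the output columns "cnt: src1", "pct: src1", and so on. A src that has no events in the first bucket is baselined on the first bucket in which it appears, because first(cnt) is evaluated per src in sorted order.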